### Create OIDC Directories
Source: https://www.cilogon.org/oidc
Command to create necessary directories for OIDC setup within the Apache DocumentRoot.
```bash
mkdir -p /var/www/html/oidc/redirect
```
--------------------------------
### Extract Access and Refresh Tokens
Source: https://www.cilogon.org/oidc
Parses the token response JSON to extract the access token and refresh token into environment variables. Requires `jq` to be installed.
```bash
export CILOGON_ACCESS_TOKEN=$(jq -r .access_token < cilogon-token-response.json)
export CILOGON_REFRESH_TOKEN=$(jq -r .refresh_token < cilogon-token-response.json)
```
--------------------------------
### Example OIDC Claim Values
Source: https://www.cilogon.org/auth0
Sample values for OIDC claims received after authentication. These demonstrate the type of information that can be extracted and used by the application.
```text
OIDC_CLAIM_aud IKTrI3l4ms3nyUF6GObI1Wkt9yrmyEEM
OIDC_CLAIM_email jsmith@illinois.edu
OIDC_CLAIM_exp 1709286360
OIDC_CLAIM_family_name Smith
```
--------------------------------
### Set CILogon Client Credentials
Source: https://www.cilogon.org/oidc
Set environment variables for your registered CILogon client ID, client secret, and redirect URI. Ensure you replace the example values with your actual client credentials.
```bash
export CILOGON_CLIENT_ID=cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c
export CILOGON_CLIENT_SECRET=euWajTysidMofassawoigDiweoj1olwa
export CILOGON_REDIRECT_URI=https://localhost/callback
```
--------------------------------
### CILogon Token Request (Success Response)
Source: https://www.cilogon.org/device
Example of a cURL command to request a token from the CILogon token endpoint, resulting in a successful response containing access, refresh, and ID tokens. This indicates the user has authorized the request.
```shell
export CLIENT_ID="cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c"
export CLIENT_SECRET="euWajTysidMofassawoigDiweoj1olwa"
export \
DEVICE_CODE="NB2HI4DTHIXS6Y3JNRXWO33OFZXXEZZPN5QXK5DIGIXTGNJYMIZWCYZSGA2WMMJTHEZGENTDG42DSZJSH52HS4DFHVQXK5DIPJDXEYLOOQTHI4Z5GE3DENZTGE2DCMRRHAYDAJTWMVZHG2LPNY6XMMROGATGY2LGMV2GS3LFHU4TAMBQGAYA"
curl --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "client_secret=$CLIENT_SECRET" \
--data-urlencode "device_code=$DEVICE_CODE" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
https://cilogon.org/oauth2/token
{
"access_token":"NB2HI4DTHIXS6ZDF...",
"refresh_token":"NB2HI4DTHIXS6ZDF...",
"id_token":"eyJ0eXAiOiJKV1Q...",
"token_type":"Bearer",
"expires_in":900
}
```
--------------------------------
### CILogon Token Request (Error Response)
Source: https://www.cilogon.org/device
Example of a cURL command to request a token from the CILogon token endpoint, resulting in an 'authorization_pending' error. This indicates the device client should continue polling.
```shell
export CLIENT_ID="cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c"
export CLIENT_SECRET="euWajTysidMofassawoigDiweoj1olwa"
export \
DEVICE_CODE="NB2HI4DTHIXS6Y3JNRXWO33OFZXXEZZPN5QXK5DIGIXTGNJYMIZWCYZSGA2WMMJTHEZGENTDG42DSZJSH52HS4DFHVQXK5DIPJDXEYLOOQTHI4Z5GE3DENZTGE2DCMRRHAYDAJTWMVZHG2LPNY6XMMROGATGY2LGMV2GS3LFHU4TAMBQGAYA"
curl --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "client_secret=$CLIENT_SECRET" \
--data-urlencode "device_code=$DEVICE_CODE" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
https://cilogon.org/oauth2/token
{
"error":"authorization_pending",
"error_description":"authorization pending"
}
```
--------------------------------
### Decode JWT ID Token using jq
Source: https://www.cilogon.org/device
Example of using the `jq` command-line tool to decode the base64-encoded payload of a JWT ID token. This is useful for inspecting user attributes within the token.
```shell
echo "eyJ0eXAiOiJKV1Q..." | jq -R 'split(".") | .[1] | @base64d | fromjson'
{
"email": "johndoe@gmail.com",
"given_name": "John",
"family_name": "Doe",
"name": "John Doe",
"iss": "https://cilogon.org",
"sub": "http://cilogon.org/serverA/users/12345",
"aud": "cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c",
"token_id": "https://cilogon.org/oauth2/idToken/4ebf936e829678468e/162731549",
"auth_time": 1627315490,
"exp": 1627316391,
"iat": 1627315491
}
```
--------------------------------
### mod_auth_openidc Location Block
Source: https://www.cilogon.org/auth0
Define the access control for a specific URL path using mod_auth_openidc. This example requires valid user authentication for the /oidc/ location.
```apache
AuthType openid-connect
Require valid-user
```
--------------------------------
### Auth0 Fetch User Profile Script
Source: https://www.cilogon.org/auth0
This JavaScript function is used within Auth0 to fetch user profile information from CILogon after authentication. It makes a GET request to the CILogon userinfo endpoint and processes the response to create a user profile object for Auth0.
```javascript
function fetchUserProfile(accessToken, context, callback) {
request.get(
{
url: 'https://cilogon.org/oauth2/userinfo',
headers: {
'Authorization': 'Bearer ' + accessToken,
}
},
(err, resp, body) => {
if (err) {
return callback(err);
}
if (resp.statusCode !== 200) {
return callback(new Error(body));
}
let bodyParsed;
try {
bodyParsed = JSON.parse(body);
} catch (jsonError) {
return callback(new Error(body));
}
const profile = {};
profile.user_metadata = {};
profile.user_id = bodyParsed.sub;
const optional = [
"email", "family_name", "given_name", "name"
];
optional.forEach((opt) => {
if (bodyParsed[opt]) {
profile[opt] = bodyParsed[opt];
}
});
const attributes = [
"acr", "affiliation", "amr", "entitlement", "eppn", "eptid",
"eduPersonAssurance", "eduPersonOrcid", "idp", "idp_name",
"isMemberOf", "itrustuin", "member_of", "oidc", "ou",
"pairwise_id", "preferred_username", "sub", "subject_id",
"uid", "uidNumber", "voPersonExternalID"
];
attributes.forEach((attr) => {
if (bodyParsed[attr]) {
profile['user_metadata'][attr] = bodyParsed[attr];
}
});
callback(null, profile);
}
);
}
```
--------------------------------
### Set Optional CILogon Query Parameters
Source: https://www.cilogon.org/oidc
Demonstrates how to set optional query parameters like idphint and skin for CILogon authentication requests.
```apache
OIDCAuthRequestParams skin=ncsa&idphint=http%3A%2F%2Fgoogle.com%2Faccounts%2Fo8%2Fid,http%3A%2F%2Fgithub.com%2Flogin%2Foauth%2Fauthorize,http%3A%2F%2Forcid.org%2Foauth%2Fauthorize,urn%3Amace%3Aincommon%3Auiuc.edu
```
--------------------------------
### OA4MP CILogon Client Configuration
Source: https://www.cilogon.org/oidc
Sample configuration for an OA4MP OIDC client interacting with the main CILogon server.
```xml
myproxy:oa4mp,2012:/client_id/7a76544eb234d6c5436fcb9f710480669
https://cilogon.org/oauth2
https://cilogon.org/authorize
https://myclient.bigstate.edu/client2/ready
qhkEE47e54sXMD1E6EpyDaauvMAu02uUoXeRlLX0o915i6Cb_GArkN
dataOne
```
--------------------------------
### Construct Authorization URL
Source: https://www.cilogon.org/oidc
Construct the authorization URL for CILogon, including response type, client ID, redirect URI, and requested scopes. The 'openid' scope is mandatory.
```bash
https://cilogon.org/authorize?response_type=code&client_id=cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c&redirect_uri=https://localhost/callback&scope=openid+profile+email+org.cilogon.userinfo
```
--------------------------------
### Retrieve User Information
Source: https://www.cilogon.org/oidc
Uses the obtained access token to fetch user profile information from the CILogon userinfo endpoint. The output is piped to `jq` for pretty-printing.
```bash
curl -d access_token=$CILOGON_ACCESS_TOKEN \
https://cilogon.org/oauth2/userinfo \
| jq
```
--------------------------------
### Configure mod_auth_openidc for Apache
Source: https://www.cilogon.org/oidc
Configure mod_auth_openidc in Apache to use CILogon for OpenID Connect authentication. Ensure your HTTPD server is configured for HTTPS.
```apache
LoadModule auth_openidc_module /usr/lib64/httpd/modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCOAuthServerMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCClientID "YOUR CLIENT IDENTIFIER"
OIDCClientSecret "YOUR CLIENT SECRET"
OIDCRedirectURI https://www.example.org/oidc/redirect
OIDCScope "openid email profile org.cilogon.userinfo"
OIDCCryptoPassphrase "A PASSPHRASE OF YOUR CHOOSING"
### OPTIONAL mod_auth_openidc CONFIGURATION PARAMETERS. FOR MORE INFO, SEE:
### https://raw.githubusercontent.com/zmartzone/mod_auth_openidc/master/auth_openidc.conf
OIDCPassRefreshToken On # If your application works with refresh tokens
OIDCSessionInactivityTimeout 3600 # If your application doesn't save user attributes
OIDCSessionMaxDuration 86400 # If your application doesn't save user attributes
```
--------------------------------
### Apache HTTPD OIDC Configuration
Source: https://www.cilogon.org/oidc
Basic Apache HTTPD configuration to enable OpenID Connect authentication for a specific location.
```apache
AuthType openid-connect
Require valid-user
```
--------------------------------
### Exchange Authorization Code for Token
Source: https://www.cilogon.org/oidc
Use this command to exchange an authorization code for an access token and a refresh token. The response is saved to a JSON file for parsing.
```bash
curl -d grant_type=authorization_code \
-d client_id=$CILOGON_CLIENT_ID \
-d client_secret=$CILOGON_CLIENT_SECRET \
-d code=$CILOGON_CODE \
-d redirect_uri=$CILOGON_REDIRECT_URI \
https://cilogon.org/oauth2/token \
> cilogon-token-response.json
```
--------------------------------
### mod_auth_openidc Configuration for Auth0
Source: https://www.cilogon.org/auth0
Configure the Apache mod_auth_openidc module to use Auth0 as an OpenID Connect provider. This includes setting the provider metadata URL, issuer, client ID, client secret, redirect URI, and scopes.
```apache
OIDCProviderMetadataURL https://dev-6y8b2h2hokjgf8yn.us.auth0.com/.well-known/openid-configuration
OIDCProviderIssuer https://dev-6y8b2h2hokjgf8yn.us.auth0.com/
OIDCClientID "MY TEST APP CLIENT ID COPIED FROM AUTH0 SETTINGS PAGE"
OIDCClientSecret "MY TEST APP CLIENT SECRET COPIED FROM AUTH0 SETTINGS PAGE"
OIDCCryptoPassphrase ThisIsARandomPassphraseCHANGEIT
OIDCRedirectURI https://example.org/oidc/redirect
OIDCScope "openid profile email"
```
--------------------------------
### Handle Redirect with Authorization Code
Source: https://www.cilogon.org/oidc
After successful authentication, CILogon redirects to your specified redirect URI with an authorization code. Extract this code from the URL.
```bash
https://localhost/callback?code=NB2HI4DTHIXS6Y3JNRXWO33OFZXXEZZPN5QXK5DIGIXTMYZTMU4TQMLDGVRGMY3EGA4TSNLDGFQTSNRXGVSTSMBZGIZDKNJ7OR4XAZJ5MF2XI2D2I5ZGC3TUEZ2HGPJRGYZTOMZVGM3TANRVHE3SM5TFOJZWS33OHV3DELRQEZWGSZTFORUW2ZJ5HEYDAMBQGA
```
--------------------------------
### OpenID Connect Discovery
Source: https://www.cilogon.org/oidc
The OpenID Connect discovery endpoint provides metadata about the OIDC provider, allowing clients to dynamically discover configuration details.
```APIDOC
## GET /.well-known/openid-configuration
### Description
Retrieves the OIDC provider's configuration metadata.
### Endpoint
https://cilogon.org/.well-known/openid-configuration
```
--------------------------------
### Device Authorization Request
Source: https://www.cilogon.org/device
Initiates the device authorization flow by sending client credentials and requested scopes to the device authorization server. The server responds with codes and URIs necessary for user authentication and token retrieval.
```APIDOC
## POST /oauth2/device_authorization
### Description
Requests device authorization from the server. The client sends its identifier, optionally a secret, and the desired scopes. The server returns codes and URIs for the user to complete the authorization process.
### Method
POST
### Endpoint
https://cilogon.org/oauth2/device_authorization
### Parameters
#### Request Body
- **client_id** (string) - Required - The CILogon OAuth2/OIDC client identifier.
- **client_secret** (string) - Optional - For Confidential Clients, the secret associated with the client_id. Omitted for Public Clients.
- **scope** (string) - Optional - A space-separated list of scopes to request. Public Clients can only request "openid". If omitted, registered scopes are assumed.
### Response
#### Success Response (200)
- **device_code** (string) - A code to be used when contacting the token endpoint.
- **user_code** (string) - A code to be entered by the user in a web browser.
- **expires_in** (integer) - Time in seconds until the user code expires.
- **verification_uri** (string) - The URL where the user can enter the user code.
- **verification_uri_complete** (string) - A URL that includes the user code for automatic entry.
- **interval** (integer) - The minimum time in seconds the device client must wait between token endpoint queries.
### Request Example
```bash
export CLIENT_ID="cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c"
export CLIENT_SECRET="euWajTysidMofassawoigDiweoj1olwa"
curl --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "client_secret=$CLIENT_SECRET" \
--data-urlencode "scope=openid email profile" \
https://cilogon.org/oauth2/device_authorization
```
### Response Example
```json
{
"device_code": "NB2HI4DTHIXS6Y3JNRXWO33OFZXXEZZPN5QXK5DIGIXTGNJYMIZWCYZSGA2WMMJTHEZGENTDG42DSZJSH52HS4DFHVQXK5DIPJDXEYLOOQTHI4Z5GE3DENZTGE2DCMRRHAYDAJTWMVZHG2LPNY6XMMROGATGY2LGMV2GS3LFHU4TAMBQGAYA",
"user_code": "PLK-NGF-V77",
"expires_in": 900,
"interval": 5,
"verification_uri": "https://cilogon.org/device/",
"verification_uri_complete": "https://cilogon.org/device/?user_code=PLK-NGF-V77"
}
```
```
--------------------------------
### Refresh Access Token using Refresh Token
Source: https://www.cilogon.org/oidc
Use a refresh token to obtain a new access token when refresh tokens are enabled for your client. The output contains new tokens, including a refresh token for future use.
```bash
curl -d grant_type=refresh_token \
-d client_id=$CILOGON_CLIENT_ID \
-d client_secret=$CILOGON_CLIENT_SECRET \
-d refresh_token=$CILOGON_REFRESH_TOKEN \
-d scope=scope=openid+profile+email+org.cilogon.userinfo \
https://cilogon.org/oauth2/token \
> cilogon-token-response.json
```
```bash
export CILOGON_ACCESS_TOKEN=$(jq -r .access_token < cilogon-token-response.json)
```
```bash
export CILOGON_REFRESH_TOKEN=$(jq -r .refresh_token < cilogon-token-response.json)
```
--------------------------------
### Device Authorization Request - cURL
Source: https://www.cilogon.org/device
Initiates the device flow by sending a POST request to the device authorization endpoint. Include client_id and optionally client_secret and scope. The response contains codes and URIs for user authentication.
```shell
export CLIENT_ID="cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c"
export CLIENT_SECRET="euWajTysidMofassawoigDiweoj1olwa"
curl --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "client_secret=$CLIENT_SECRET" \
--data-urlencode "scope=openid email profile" \
https://cilogon.org/oauth2/device_authorization
```
--------------------------------
### OAuth 2.0 Registration Endpoint
Source: https://www.cilogon.org/oidc
The OAuth 2.0 registration endpoint is used for registering new OIDC clients with CILogon.
```APIDOC
## POST /oauth2/register
### Description
Registers a new OAuth 2.0 client.
### Endpoint
https://cilogon.org/oauth2/register
```
--------------------------------
### JSON Web Key Sets (JWKS)
Source: https://www.cilogon.org/oidc
The JWKS endpoint provides the public keys used to verify the signature of tokens issued by CILogon.
```APIDOC
## GET /oauth2/certs
### Description
Retrieves the JSON Web Key Set (JWKS) for token verification.
### Endpoint
https://cilogon.org/oauth2/certs
```
--------------------------------
### PHP Script to Display OIDC Variables
Source: https://www.cilogon.org/oidc
A PHP script to display HTTP header variables set by mod_auth_openidc, useful for testing and debugging.
```php
echo '
OIDC Variables
$value) {
if ((preg_match("^OIDC",$key)) ||
(preg_match("^REMOTE_USER",$key))) {
echo "| $key | $value |
\n";
}
}
?>
' > /var/www/html/oidc/index.php
```
--------------------------------
### Store Authorization Code
Source: https://www.cilogon.org/oidc
Save the extracted authorization code into an environment variable for subsequent use in exchanging it for tokens.
```bash
export CILOGON_CODE=
NB2HI4DTHIXS6Y3JNRXWO33OFZXXEZZPN5QXK5DIGIXTMYZTMU4TQMLDGVRGMY3EGA4TSNLDGFQTSNRXGVSTSMBZGIZDKNJ7OR4XAZJ5MF2XI2D2I5ZGC3TUEZ2HGPJRGYZTOMZVGM3TANRVHE3SM5TFOJZWS33OHV3DELRQEZWGSZTFORUW2ZJ5HEYDAMBQGA
```
--------------------------------
### Auth0 Universal Login Branding Configuration
Source: https://www.cilogon.org/auth0
Customize the Auth0 Universal Login page by adding CILogon authentication button details. This includes specifying the display name, primary color, foreground color, and icon.
```javascript
authButtons: {
"CILogon": {
displayName: "CILogon",
primaryColor: "#4b794b",
foregroundColor: "#fff",
icon: "https://cilogon.org/images/cilogon-logo-40x40-b.png"
}
},
```
--------------------------------
### Custom OIDC Error Template
Source: https://www.cilogon.org/oidc
HTML file to handle OIDC errors by submitting error details to a specified URL.
```html
```
--------------------------------
### Auth0 Custom Action for CILogon Claims
Source: https://www.cilogon.org/auth0
Use this Node.js Action to assert CILogon attributes in Auth0 ID tokens. It iterates through a predefined list of attributes and sets them as custom claims if they exist in user metadata.
```javascript
exports.onExecutePostLogin = async (event, api) => {
const namespace = "https://cilogon.org/";
const attributes = [
"acr", "affiliation", "amr", "entitlement", "eppn", "eptid",
"eduPersonAssurance", "eduPersonOrcid", "idp", "idp_name",
"isMemberOf", "itrustuin", "member_of", "oidc", "ou",
"pairwise_id", "preferred_username", "sub", "subject_id",
"uid", "uidNumber", "voPersonExternalID"
];
attributes.forEach((attr) => {
if (event['user']['user_metadata'][attr]) {
api.idToken.setCustomClaim(namespace + attr, event['user']['user_metadata'][attr]);
}
});
};
```
--------------------------------
### OAuth 2.0 User Info Endpoint
Source: https://www.cilogon.org/oidc
The OAuth 2.0 user info endpoint returns claims about the authenticated end-user.
```APIDOC
## GET /userinfo
### Description
Retrieves claims about the authenticated end-user.
### Endpoint
https://cilogon.org/userinfo
```
--------------------------------
### Token Request
Source: https://www.cilogon.org/device
Polls the token endpoint to obtain tokens after user authorization. Handles both success and error responses.
```APIDOC
## POST https://cilogon.org/oauth2/token
### Description
Requests an access token, ID token, and refresh token using a device code obtained from the device authorization endpoint. This endpoint is polled by the device client until the user completes the authorization flow or the code expires.
### Method
POST
### Endpoint
https://cilogon.org/oauth2/token
### Parameters
#### Request Body
- **client_id** (string) - Required - The CILogon OAuth2/OIDC client identifier.
- **client_secret** (string) - Optional - For Confidential Clients, the secret associated with the client_id. Omitted for Public Clients.
- **device_code** (string) - Required - The device_code returned by the device_authorization endpoint.
- **grant_type** (string) - Required - This value must be "urn:ietf:params:oauth:grant-type:device_code".
### Request Example
```bash
export CLIENT_ID="cilogon:/client_id/6e8fdae3459dac6c685c6b6de37c188c"
export CLIENT_SECRET="euWajTysidMofassawoigDiweoj1olwa"
export \
DEVICE_CODE="NB2HI4DTHIXS6Y3JNRXWO33OFZXXEZZPN5QXK5DIGIXTGNJYMIZWCYZSGA2WMMJTHEZGENTDG42DSZJSH52HS4DFHVQXK5DIPJDXEYLOOQTHI4Z5GE3DENZTGE2DCMRRHAYDAJTWMVZHG2LPNY6XMMROGATGY2LGMV2GS3LFHU4TAMBQGAYA"
curl --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "client_secret=$CLIENT_SECRET" \
--data-urlencode "device_code=$DEVICE_CODE" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
https://cilogon.org/oauth2/token
```
### Response
#### Success Response (200)
- **access_token** (string) - An access token for the userinfo endpoint.
- **id_token** (string) - A JWT containing user attributes.
- **refresh_token** (string) - A refresh token to obtain new access tokens (if enabled).
- **token_type** (string) - The type of token, typically "Bearer".
- **expires_in** (integer) - The time in seconds the token is valid.
#### Response Example (Success)
```json
{
"access_token": "NB2HI4DTHIXS6ZDF...",
"refresh_token": "NB2HI4DTHIXS6ZDF...",
"id_token": "eyJ0eXAiOiJKV1Q...",
"token_type": "Bearer",
"expires_in": 900
}
```
#### Error Response
- **error** (string) - Indicates the status, e.g., "authorization_pending", "slow_down".
- **error_description** (string) - A human-readable explanation of the error.
#### Response Example (Error)
```json
{
"error": "authorization_pending",
"error_description": "authorization pending"
}
```
```
--------------------------------
### OAuth 2.0 Device Authorization Endpoint
Source: https://www.cilogon.org/oidc
The OAuth 2.0 device authorization endpoint is used for device authorization flows.
```APIDOC
## POST /oauth2/device_authorization
### Description
Initiates the OAuth 2.0 device authorization grant flow.
### Endpoint
https://cilogon.org/oauth2/device_authorization
```
--------------------------------
### OAuth 2.0 Authorization Endpoint
Source: https://www.cilogon.org/oidc
The OAuth 2.0 authorization endpoint is used to obtain authorization from the resource owner and issue access tokens.
```APIDOC
## GET /authorize
### Description
Initiates the OAuth 2.0 authorization code grant flow.
### Endpoint
https://cilogon.org/authorize
```
--------------------------------
### OAuth 2.0 Token Endpoint
Source: https://www.cilogon.org/oidc
The OAuth 2.0 token endpoint is used to obtain access tokens by exchanging authorization grants.
```APIDOC
## POST /oauth2/token
### Description
Exchanges an authorization grant for an access token.
### Endpoint
https://cilogon.org/oauth2/token
```
--------------------------------
### OAuth 2.0 Introspection Endpoint
Source: https://www.cilogon.org/oidc
The OAuth 2.0 introspection endpoint is used to validate tokens.
```APIDOC
## POST /oauth2/introspect
### Description
Validates an access token.
### Endpoint
https://cilogon.org/oauth2/introspect
```
--------------------------------
### OAuth 2.0 Revocation Endpoint
Source: https://www.cilogon.org/oidc
The OAuth 2.0 revocation endpoint is used to revoke access or refresh tokens.
```APIDOC
## POST /oauth2/revoke
### Description
Revokes an access or refresh token.
### Endpoint
https://cilogon.org/oauth2/revoke
```
=== COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.